
[SRX] Example - Configure Transparent mode on Junos 15.1X49 SRX platform


Article ID: KB31147   KB Last Updated: 30 Apr 2018   Version: 4.0
Summary:

This article provides a configuration example for the Layer 2 transparent mode on Junos 15.1X49 SRX platforms.

Symptoms:
A new Layer 2 feature was introduced in Junos 15.1X49. As a result, the Layer 2 configuration differs from that of Junos 12.3X48 and earlier releases. Junos 15.1X49 provides two Layer 2 modes: transparent mode and switching mode.

Layer 2 mode is defined using the command:

   set protocols l2-learning global-mode {transparent-bridge/switching}

Transparent mode is the default mode. On SRX Series devices, transparent mode provides full security services for Layer 2 bridging. For more detail, please refer to the following link:

This article will describe how to configure transparent mode in Junos 15.1X49 based on the following topology.


For transparent mode in Junos 12.3X48 or earlier releases, please refer to KB21421 [SRX] Configuration Example - Transparent mode on SRX platforms.
Solution:

Configuration

Note: A system reboot is required after the commit.

set system services ssh
set security policies from-zone Trust to-zone Untrust policy trust-untrust match source-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match application any
set security policies from-zone Trust to-zone Untrust policy trust-untrust then permit

set security policies from-zone Untrust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-http
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-https
set security policies from-zone Untrust to-zone DMZ policy trust-untrust then permit

set security policies from-zone Trust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Trust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone DMZ policy trust-untrust match application any
set security policies from-zone Trust to-zone DMZ policy trust-untrust then permit

set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security-zone MGMT interfaces ge-0/0/0.0
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone DMZ interfaces ge-0/0/2.0
set security zones security-zone Trust interfaces ge-0/0/3.0

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-20
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10
set interfaces irb unit 20 family inet address 10.0.0.254/24

set protocols l2-learning global-mode transparent-bridge
set vlans vlan-10 vlan-id 10
set vlans vlan-20 vlan-id 20
set vlans vlan-20 l3-interface irb.20
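An added consistency check for the configuration above (example code written for this article, not Juniper's own tooling): it parses the transparent-mode "set" statements, confirms the global mode is transparent-bridge, flags a zone statement that does not follow the "security-zone <zone> interfaces <ifl>" form (as the MGMT line does when mistyped), and reports any Layer 2 interface that is not bound to a security zone. The sample configuration is constructed from the article's statements.

```python
import re
# Constructed sample: the article's transparent-mode statements that the linter
# inspects, with the MGMT zone line mistyped ("security zone ... interface").
SAMPLE_CONFIG = """\
set security zones security zone MGMT interface ge-0/0/0.0
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone DMZ interfaces ge-0/0/2.0
set security zones security-zone Trust interfaces ge-0/0/3.0
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-20
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10
set protocols l2-learning global-mode transparent-bridge
set vlans vlan-10 vlan-id 10
set vlans vlan-20 vlan-id 20
"""
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
L2_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)$")
MODE_RE = re.compile(r"^set protocols l2-learning global-mode (\S+)$")
VLAN_RE = re.compile(r"^set vlans (\S+) vlan-id \d+$")

def lint_transparent_mode(config):
    """Return a list of findings; an empty list means the config is consistent."""
    zone_of, vlan_of, vlans, mode, findings = {}, {}, set(), None, []
    for line in (ln.strip() for ln in config.splitlines()):
        if m := ZONE_RE.match(line):
            zone_of[m[2]] = m[1]               # logical interface -> zone name
        elif m := L2_RE.match(line):
            vlan_of[f"{m[1]}.{m[2]}"] = m[3]   # logical interface -> VLAN name
        elif m := MODE_RE.match(line):
            mode = m[1]
        elif m := VLAN_RE.match(line):
            vlans.add(m[1])
        elif line.startswith("set security zones") and " interface" in line:
            # Reached only when a zone/interface statement did not parse above.
            findings.append(f"malformed zone statement (expected 'security-zone <zone> interfaces <ifl>'): {line}")
    if mode != "transparent-bridge":
        findings.append(f"l2-learning global-mode is {mode!r}, expected 'transparent-bridge'")
    for ifl, vlan in vlan_of.items():
        if vlan not in vlans:
            findings.append(f"{ifl}: VLAN {vlan} is not defined under 'vlans'")
        if ifl not in zone_of:
            findings.append(f"{ifl}: Layer 2 interface is not bound to any security zone")
    return findings
```

Run against the sample it reports the malformed MGMT statement and, as a consequence, that ge-0/0/0.0 is in no zone; correcting that one line yields no findings.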

Verification

You can check the current Layer 2 mode with the command: show ethernet-switching global-information

root@SRX300>show ethernet-switching global-information
Global Configuration:

MAC aging interval    : 300
MAC learning          : Enabled
MAC statistics        : Disabled
MAC limit Count       : 16383
MAC limit hit         : Disabled
MAC packet action drop: Disabled
LE  aging time        : 1200
LE  VLAN aging time   : 1200
Global Mode           : Transparent bridge  <<<< current Layer 2 mode   

The show ethernet-switching table command is helpful for confirming the MAC address table:

root@SRX300> show ethernet-switching table

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)


Ethernet switching table : 3 entries, 3 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical                NH        RTR
    name                address             flags              interface              Index     ID
    vlan-100            00:50:56:85:59:d3   D             -   ge-0/0/2.0             0         0
    vlan-100            00:50:56:85:d4:88   D             -   ge-0/0/1.0             0         0
    vlan-100            00:50:56:85:e5:7b   D             -   ge-0/0/1.0             0         0

Modification History:
04/13/2018 fixed typo in security policy name
